-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2010.0544
           Drupal Third Party-Modules: Multiple Vulnerabilities
                               17 June 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Ubercart payment (third-party module)
                   Studio theme pack (third-party theme)
                   Ubercart MIGS Payment Gateway (third-party module)
                   Content Construction Kit (CCK) (third-party module)
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Existing Account            
                   Unauthorised Access            -- Existing Account            
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://drupal.org/node/829412
   http://drupal.org/node/829414
   http://drupal.org/node/829528
   http://drupal.org/node/829566

Comment: This bulletin contains four (4) Drupal security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-062
  * Project: Ogone | Ubercart payment (third-party module)
  * Version: 5.x, 6.x
  * Date: 2010-June-16
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Access Bypass

- -------- DESCRIPTION ---------------------------------------------------------

Ogone | Ubercart payment is a payment module for Ubercart that integrates
Ogone PSP gateway as a checkout method for Ubercart. The module does not
always correctly verify the order status returned by the Ogone gateway,
potentially allowing unpaid orders to be processed.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Ogone | Ubercart payment module for Drupal 5.x versions prior to 5.x-1.6
  * Ogone | Ubercart payment module for Drupal 6.x versions prior to 6.x-1.5

Drupal core is not affected. If you do not use the contributed Ogone |
Ubercart payment [1] module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use the Ogone | Ubercart payment module for Drupal 5.x upgrade to
    Ogone | Ubercart payment 5.x-1.6 [2]
  * If you use the Ogone | Ubercart payment module for Drupal 6.x upgrade to
    Ogone | Ubercart payment 6.x-1.5 [3]

See also the Ogone | Ubercart payment project page [4].

- -------- REPORTED BY ---------------------------------------------------------

  * Arjean [5]

- -------- FIXED BY ------------------------------------------------------------

  * Kees Kodde (kees@qrios [6]), module maintainer

- -------- CONTACT -------------------------------------------------------------

The Drupal security team [7] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/project/uc_ogone
[2] http://drupal.org/node/828320
[3] http://drupal.org/node/828318
[4] http://drupal.org/project/uc_ogone
[5] http://drupal.org/user/331955
[6] http://drupal.org/user/48715
[7] http://drupal.org/security-team

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-063
  * Project: Studio theme pack (third-party theme)
  * Version: 6.x
  * Date: 2010-June-16
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

- -------- DESCRIPTION ---------------------------------------------------------

Studio theme pack is a set of themes for use as a base in creating a new
theme. The Canvas theme, part of Studio theme pack and used as the base theme
for the Workspace and Paint themes (also included in Studio theme pack), does
not sanitize some of the user-supplied data before displaying it, leading to a
Cross Site Scripting (XSS [1]) vulnerability that may allow a malicious user to
gain full administrative access.

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Studio theme pack Drupal 6.x versions prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Studio theme
pack [2] theme, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use the Studio theme pack theme for Drupal 6.x upgrade to Studio
    theme pack 6.x-1.2 [3]

See also the Studio theme pack project page [4].

- -------- REPORTED BY ---------------------------------------------------------

  * Pelle Wessman

- -------- FIXED BY ------------------------------------------------------------

  * Al Steffen (Zarabadoo [5]), theme maintainer

- -------- CONTACT -------------------------------------------------------------

The Drupal security team [6] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Cross-site_scripting
[2] http://drupal.org/project/studio
[3] http://drupal.org/node/829292
[4] http://drupal.org/project/studio
[5] http://drupal.org/user/103935
[6] http://drupal.org/security-team

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-064
  * Project: Ubercart MIGS Payment Gateway (third-party module)
  * Versions: 6.x
  * Date: 2010-Jun-16
  * Security risk: Critical
  * Exploitable from: Remote
  * Vulnerability: Web Parameter Tampering

- -------- DESCRIPTION ---------------------------------------------------------

The Ubercart MIGS Payment Gateway module provides support for the MIGS
third-party payment gateway used by ANZ, Commonwealth Bank, Bendigo Bank, and
various other banks worldwide for payment processing. This module was
susceptible to web parameter tampering [1], which allowed users to bypass
paying the full amount due on checkout. The amount paid was correctly
recorded against the order, but certain site configurations might allow
purchases to be delivered despite incomplete payment. This has been resolved
in the latest release, which also incorporates other features to match bank
requirements.
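
The Ogone advisory above (order status not always verified) and this MIGS
advisory (amount tampered on checkout) describe the same failure class: the
shop trusts what comes back from the gateway instead of comparing it with the
order it recorded itself. The following is an added example written for this
bulletin; it is not code from the uc_ogone or uc_migs modules or from Drupal.
The field names, the HMAC-SHA256 signature scheme, the shared secret and every
sample message are constructed assumptions; real gateways use their own
formats. It shows the order of checks a server-side return handler needs
before an order may be marked paid, and which message each check rejects.

```python
"""Added example (not code from uc_ogone, uc_migs or Drupal): a server-side
acceptance check for a payment gateway's return message. Field names, the
HMAC-SHA256 signature scheme, the secret and all sample messages are
constructed for this example."""
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

SECRET = b"constructed-shared-secret"  # constructed; really from gateway config


def new_order_table() -> dict:
    """A fresh copy of the order the shop stored before redirecting the buyer."""
    return {"1001": {"amount": Decimal("149.95"), "currency": "AUD", "status": "pending"}}


def sign(params: dict, secret: bytes = SECRET) -> str:
    """Canonical signature: sorted key=value pairs, the 'sig' field excluded."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sig")
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def gateway_message(order_id: str, amount: str, currency: str, status: str) -> dict:
    """What the (constructed) gateway sends back for one transaction."""
    msg = {"order_id": order_id, "amount": amount, "currency": currency, "status": status}
    msg["sig"] = sign(msg)
    return msg


def verify_callback(params: dict, orders: dict, secret: bytes = SECRET) -> tuple:
    """Return (accepted, reason); the order is marked paid only if every check passes.

    Authenticity first, then the order's own state, then the gateway's verdict,
    and finally the amount against the shop's record rather than anything the
    client echoed back in the request.
    """
    if not hmac.compare_digest(sign(params, secret), params.get("sig", "")):
        return False, "bad signature"
    order = orders.get(params.get("order_id"))
    if order is None:
        return False, "unknown order"
    if order["status"] != "pending":
        return False, "order not awaiting payment"  # duplicate or replayed notification
    if params.get("status") != "APPROVED":
        return False, f"gateway status {params.get('status')!r} is not a success"
    try:
        paid = Decimal(params.get("amount", ""))
    except (InvalidOperation, TypeError):
        return False, "malformed amount"
    if paid != order["amount"] or params.get("currency") != order["currency"]:
        return False, "amount or currency differs from order"
    order["status"] = "paid"
    return True, "ok"


if __name__ == "__main__":
    for msg in (gateway_message("1001", "149.95", "AUD", "APPROVED"),
                gateway_message("1001", "1.00", "AUD", "APPROVED"),
                gateway_message("1001", "149.95", "AUD", "DECLINED")):
        print(msg["amount"], msg["status"], "->", verify_callback(msg, new_order_table()))
```

The partial-payment case is the one that matters for the MIGS advisory: the
gateway's message is genuine and reports a success, yet the amount is not the
order total, so the handler must still refuse to mark the order paid. Rejecting
a second notification for an already-paid order also keeps a replayed success
message from being mistaken for a new payment.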

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Ubercart MIGS Payment Gateway for Drupal 6.x prior to uc_migs-6.x-1.2.

Drupal core is not affected. If you do not use the contributed Ubercart MIGS
module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use uc_migs for Drupal 6.x upgrade to uc_migs-6.x-1.2 [2].

See also the Ubercart MIGS Gateway project page [3].

- -------- REPORTED BY ---------------------------------------------------------

Chris Burgess [4], the uc_migs maintainer.

- -------- FIXED BY ------------------------------------------------------------

Chris Burgess

- -------- CONTACT -------------------------------------------------------------

The security contact for Drupal can be reached at security at drupal.org or
via the form at http://drupal.org/contact.

[1] http://www.owasp.org/index.php/Web_Parameter_Tampering
[2] http://drupal.org/node/828614
[3] http://drupal.org/project/uc_migs
[4] http://drupal.org/user/76026

_______________________________________________

  * Advisory ID: DRUPAL-SA-CONTRIB-2010-065
  * Project: Content Construction Kit (CCK) (third-party module)
  * Version: 5.x, 6.x
  * Date: 2010-June-16
  * Security risk: Less Critical
  * Exploitable from: Remote
  * Vulnerability: Access Bypass

- -------- DESCRIPTION ---------------------------------------------------------

The Content Construction Kit (CCK) project is a set of modules that allows
you to add custom fields to nodes using a web browser. The CCK "Node
Reference" module can be configured to display referenced nodes as hidden,
title, teaser or full view. Node access was not checked when displaying these,
which could expose view access on access-controlled nodes to unprivileged
users. In addition, Node Reference provides a backend URL that is used for
asynchronous requests by the "autocomplete" widget to locate nodes the user
can reference. This backend did not check that the user had field-level access
to the source field, allowing direct queries to the backend URL to return node
titles and IDs which the user would otherwise be unable to access. Note that
because the Drupal 5 version of CCK has no field access control functionality,
this second issue applies only to the Drupal 6 version.
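
The two missing checks described above, modelled as an added example that is
not code from CCK or Drupal: rendering a referenced node must pass a node view
access check for the viewer, and the autocomplete backend must refuse callers
who lack access to the source field before it looks up any candidates, then
filter the candidates by node access as well. The nodes, roles, grant rules,
display modes and the 403/200 result shape are constructed assumptions for
the example; Drupal's real node and field access APIs are not used here.

```python
"""Added example (not code from CCK or Drupal): the two access checks a
node-reference field needs, modelled over constructed data."""

# Constructed content: one node is restricted by a node-access rule.
NODES = [
    {"nid": 1, "title": "Quarterly newsletter", "body": "Public news.", "private": False},
    {"nid": 2, "title": "Q3 board minutes", "body": "Confidential.", "private": True},
    {"nid": 3, "title": "Press release", "body": "Public.", "private": False},
]

# Constructed field-level access: which roles may fill in each reference field.
FIELD_EDIT_ROLES = {"field_related": {"editor", "admin"}, "field_board_doc": {"admin"}}


def node_access_view(node: dict, user: dict) -> bool:
    """Stand-in for a node-access check: private nodes are visible to admins only."""
    return not node["private"] or "admin" in user["roles"]


def field_access_edit(field: str, user: dict) -> bool:
    """Stand-in for a field-level access check on the source field."""
    return bool(FIELD_EDIT_ROLES.get(field, set()) & user["roles"])


def render_reference(nid: int, user: dict, display: str = "title", nodes=NODES):
    """What the reference field shows; None when the viewer may not see the target."""
    node = next((n for n in nodes if n["nid"] == nid), None)
    if node is None or not node_access_view(node, user):
        return None  # a missing node and a forbidden one look the same to the viewer
    if display == "title":
        return node["title"]
    if display == "teaser":
        return f"{node['title']}: {node['body'][:40]}"
    if display == "full":
        return f"{node['title']}\n{node['body']}"
    return ""  # "hidden"


def autocomplete_request(field: str, prefix: str, user: dict, nodes=NODES) -> tuple:
    """Backend for the autocomplete widget, returned as (http_status, matches).

    Refuse outright when the caller cannot edit the source field, so a direct
    request to the backend URL leaks neither titles nor nids; then apply node
    access to every candidate before it is returned.
    """
    if not field_access_edit(field, user):
        return 403, None
    candidates = [n for n in nodes if n["title"].lower().startswith(prefix.lower())]
    return 200, [(n["nid"], n["title"]) for n in candidates if node_access_view(n, user)]


if __name__ == "__main__":
    for roles in ({"anonymous"}, {"editor"}, {"admin"}):
        user = {"roles": roles}
        print(sorted(roles), autocomplete_request("field_related", "q", user),
              render_reference(2, user))
```

The field check is applied before the title lookup rather than after, so a
caller without access to the source field learns nothing about which nodes
exist; the node check then removes the restricted node for an editor while an
admin still sees it, matching what the same user would be allowed to view
directly.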

- -------- VERSIONS AFFECTED ---------------------------------------------------

  * Content Construction Kit (CCK) module for Drupal 5.x versions prior to
    5.x-1.11
  * Content Construction Kit (CCK) module for Drupal 6.x versions prior to
    6.x-2.7

Drupal core is not affected. If you do not use the contributed Content
Construction Kit (CCK) [1] module together with a node or field access
module, there is nothing you need to do.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use the Content Construction Kit (CCK) module for Drupal 5.x
    upgrade to Content Construction Kit (CCK) 5.x-1.11 [2]
  * If you use the Content Construction Kit (CCK) module for Drupal 6.x
    upgrade to Content Construction Kit (CCK) 6.x-2.7 [3]

See also the Content Construction Kit (CCK) project page [4].

- -------- REPORTED BY ---------------------------------------------------------

  * recrit [5]
  * Marc Ferran (markus_petrux) [6], module co-maintainer

- -------- FIXED BY ------------------------------------------------------------

  * Yves Chedemois (yched) [7], module co-maintainer
  * Marc Ferran (markus_petrux) [8], module co-maintainer
  * Karen Stevenson (KarenS) [9], module co-maintainer

- -------- CONTACT -------------------------------------------------------------

The Drupal security team [10] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/project/cck
[2] http://drupal.org/node/828986
[3] http://drupal.org/node/828988
[4] http://drupal.org/project/cck
[5] http://drupal.org/user/452914
[6] http://drupal.org/user/39593
[7] http://drupal.org/user/39567
[8] http://drupal.org/user/39593
[9] http://drupal.org/user/45874
[10] http://drupal.org/security-team

_______________________________________________

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFMGWjf/iFOrG6YcBERApSDAKCFaDtKVqAfQgczvQjLLt2PVo2ehACgsPI9
RDVCl0ra+k1sqO3FZ4wyovM=
=64KG
-----END PGP SIGNATURE-----